Forum Discussion

benbenben_9082
Apr 21, 2008

SSL for management interface

Hi, I was wondering if someone could help with this rather simple query.

Basically the management interface of my F5 is using the default certificate and I wish to change this to use my certificate which I have installed. I can't seem to figure out where to specify which certificate should be used for the management interface.

Could anyone give any pointers?

Thanks - Ben

8 Replies

  • Hi Ben,

    You can import a new cert for the management GUI under System >> Device Certificates. The expected format for the cert and key is PEM.

    Aaron
  • Yep, I tried this. It still seems to be using the localhost.localdomain cert which came with the unit.

    I could try deleting this default certificate however I'm worried I might break access to the management interface.

    Any other ideas?
  • That should be it. Can you try restarting httpd, by running 'bigstart restart httpd' on the command line?

    Aaron
  • Yes, that did the trick. Thanks!

    I do however need to use a keychain, is that possible?
  • I think you should be able to concatenate the main cert and intermediate cert(s) together when you import them to the BIG-IP.

    Aaron
  • Yep, I tried this using the same method as when I set up the certs for virtual servers. Even though the import goes ok, it seems that it doesn't accept the whole chain; this is verified by exporting what I have just imported.
  • That's odd. I tested by importing a cert and intermediate bundle. The GUI shows the certs, but when connecting with openssl s_client, I only see the primary cert.

    I guess you could manually edit the ssl.conf (/config/httpd/conf.d/ssl.conf) and specify the chain in:

        Server Certificate Chain:
        Point SSLCertificateChainFile at a file containing the
        concatenation of PEM encoded CA certificates which form the
        certificate chain for the server certificate. Alternatively
        the referenced file can be the same as SSLCertificateFile
        when the CA certificates are directly appended to the server
        certificate for convenience.
        SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt

    You'd need to copy the intermediate cert to the directory and then restart httpd again.

    It might also be good to include the modified ssl.conf in the files saved in a UCS.

    SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive
    https://support.f5.com/kb/en-us/solutions/public/4000/400/sol4422.html?sr=451055

    Locate this line:

        save.2221.ignore = /config/httpd/conf.d/ssl.conf

    And replace ignore with file:

        save.2221.file = /config/httpd/conf.d/ssl.conf

    During an upgrade, you'll need to do a manual diff of the new ssl.conf and the saved copy to make sure the ssl.conf file hasn't changed. If it has changed, you should modify the updated ssl.conf to add the chain file.

    It might be good to run this by F5 Support though to see whether there is/should be an option for specifying a chain cert for the management GUI, and whether the above steps are a valid workaround.

    Aaron
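The two checks the thread circles around, as an added example that is not from the original thread or from F5: a small POSIX shell script that counts the certificates a server actually presents (the s_client check Aaron describes) and verifies that a concatenated PEM bundle is ordered leaf first with each issuer matching the next subject, which is the order Apache expects when CA certs are appended to SSLCertificateFile. It assumes the openssl command-line tool is on PATH; the host:port and file names are placeholders.

```shell
# Added example (not from the thread or from F5): check what chain a TLS
# endpoint presents and whether a concatenated PEM bundle is ordered correctly.
# Assumes the openssl command-line tool is installed.

# Number of PEM certificate blocks in a file.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the n-th certificate block of a PEM bundle (1-based).
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1"
}

# Return 0 when the bundle is ordered leaf first and every certificate's
# issuer equals the subject of the certificate that follows it, i.e. the
# order Apache expects when CA certs are appended to SSLCertificateFile.
chain_in_order() {
    bundle=$1
    n=$(pem_count "$bundle")
    [ "$n" -ge 1 ] || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$bundle" $((i + 1)) | openssl x509 -noout -subject)
        # Drop the "issuer=" / "subject=" prefixes and compare the DNs.
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

# Save the certificates a server actually sends in the handshake, which is
# what s_client shows; a count of 1 means no intermediate was served.
served_chain() {
    # $1 is host:port, e.g. the BIG-IP management address (placeholder).
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Usage: sh chaincheck.sh mgmt.example.invalid:443 bundle.pem
if [ "$#" -eq 2 ]; then
    served_chain "$1" > served.pem
    echo "certificates presented by $1: $(pem_count served.pem)"
    if chain_in_order "$2"; then
        echo "$2: chain order OK ($(pem_count "$2") certificates)"
    else
        echo "$2: chain is out of order or incomplete"
    fi
fi
```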